Page 1: COSO Framework

• A company should include IT in all five COSO components:

– Control Environment
– Risk Assessment
– Control Activities
– Information and Communication
– Monitoring

NOTE: COBIT was developed to help achieve this goal.

Page 2: Control Environment

• IT should be included in company-wide ethics policies
• Capital expenditure policies should include specifics regarding IT purchases, including approval requirements
• Support the achievement of the organization's financial reporting control objectives
• Appropriate segregation of duties within the IT department itself

Page 3: Computer Systems - Segregation of Duties

Recommended IT department segregation of duties: Systems Analyst, Programmer, Computer Operator, Testing Group, AIS Librarian (data, programs), Manager.

What type of control is this? Preventive.

One way for a company (for example, one too small to staff each of these roles separately) to address this risk is to share it: use an external consultant for pieces of application support, or utilize a web-based application.

Page 4: Risk Assessment

• IT factors should be included in determining the risk that management objectives related to reliable financial reporting will not be met (SOX section 404).

• Examples of IT risks:

– Key system/application not available when needed
– Significant information integrity failure (e.g., completeness, validity, etc.)
– Implementation of an unauthorized change to a key system/application
– Failure to properly maintain or update a key system/application

Page 5: Risk Assessment - IT Factors

• Factors that could increase the likelihood of a risk occurring:

– Complex system and related application(s)
– High volume of transactions being processed
– History of significant error
– High customization of applications
– Old/dated system/application
– High extent and complexity of revisions made to the system

Page 6: Control Activity - Computerized Controls

Friend or Foe?

Benefits: decrease human error, restrict access, decrease duplication of input, audit trail.

Detriments: confidentiality, system integrity, completeness, input errors, audit trail.

Page 7: Internal Controls - Computerized AIS Environment

• Some concepts of controls do not change:

– Objective: mitigate risks

– Control Environment: its importance and impact

Page 8: Internal Controls - Computerized AIS Environment

• Concepts of controls that change:

– Characteristics: embedded/automated

– Frequency: continuous vs. periodic

– Errors: systemic vs. random

Page 9: Categories of IT Internal Controls

1. General Controls - pervasive, relate to the entire system

Examples: physical access restrictions, backup process, policies, disaster recovery, segregation of duties

2. Application Controls - specific, relate to individual portions of the system or types of transactions

Examples: passwords, security matrix, edit reports, smart fields, batch totals

Page 10: Control Activities

• Management should ensure that both IT general and application controls exist and support the objectives of the compliance effort. Some of the key areas related to IT include:

– Designing and implementing controls designed to mitigate significant identified IT risks

– Monitoring key IT controls for continued effectiveness

– Documenting and testing IT controls related to §404

Page 11: Information and Communication

• IT items to consider:

– Define, implement, and maintain system security levels. Periodically review and modify.

– Develop, document and communicate IT policies and procedures

– Process in place to assess compliance with IT policies, procedures and standards

– Investigate IT compliance deviations, remediate as needed

Page 12: Monitoring

Companies need to evaluate the actual ability of designed controls to reduce risk to an appropriate and planned level. For example:

– Perform evaluation of operating effectiveness of control activities periodically and document them

– Leverage technology to its fullest extent to document processes, control activities, identify gaps and evaluate effectiveness of controls

– Controls are continuously evaluated and updated to reflect necessary major process or organizational changes

Page 13: Access and Safeguarding

• Data protection - passwords, smart fields, firewalls, backup files, security matrix, etc.

• Physical protection - restrict access to computer rooms, monitor access to IT computers/programs, restrict access to the internet, etc.

• Uninterruptible power sources - separate grid, backup generator, etc.

• Disaster recovery - hot sites, cold sites, etc.

Page 14: Security Matrix (Access Control)

• A table listing all authorized users and their corresponding abilities within a system. This should include the type of access as well:
– Read
– Change
– Delete

• Powerful SOD tool
• Change management is key to remaining effective

• Type of control? – Preventive

Page 15: Problem 7.3

Take 10 minutes and complete Problem 7.3 a.

NOTE: Processing is equal to a 3 (read, modify, create and delete).

Page 16: 7.3 a. - Access Control Matrix

User Group            Payroll Program  Inventory Program  Payroll File  Inventory File  Transaction File
Sales                        0                 0                0              1                0
Inventory Control            0                 0                0              3                0
Payroll Clerk                0                 0                2              0                0
HR Manager                   0                 0                3              0                0
Payroll Programmer           3                 0                1              0                1
Inventory Programmer         0                 3                0              1                1
CIO                          3                 3                3              3                3

Levels: 0 = no access, 1 = read, 2 = read and update, 3 = processing (read, modify, create and delete).

Page 17: Problem 7.3

• Complete part b of problem 7.3. 5 minutes

Page 18: 7.3 b.

1. Inventory control: should not have create and delete rights to the inventory file. This group should only have read, display, and update rights to the inventory file.

2. Human resources manager: should only have read access to the payroll file. Also add read access to the transaction file as a management review tool.

NOTE: The CIO is part of a small company without proper IT segregation of duties. How could this added risk be addressed?
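The 7.3 a matrix, encoded so that it can both be enforced (the preventive control on page 14) and reviewed for the 7.3 b findings and for the CIO question above. This is an added example, not code from the slides or the textbook solution; the three review rules R1-R3, the program-to-file mapping in PROGRAM_DATA and the group names are assumptions chosen so that the review reproduces the slide's findings.

```python
"""Problem 7.3 access control matrix as a preventive control (authorize) and
a detective segregation-of-duties review (review_matrix).
Added example, not from the slides; rules R1-R3 and PROGRAM_DATA are assumptions."""

# Access levels as defined on the slides: 3 ("processing") = read, modify,
# create and delete; 2 and 1 are the read+update and read-only subsets; 0 = none.
LEVEL_RIGHTS = {
    0: frozenset(),
    1: frozenset({"read"}),
    2: frozenset({"read", "update"}),
    3: frozenset({"read", "update", "create", "delete"}),
}

RESOURCES = ("Payroll Program", "Inventory Program",
             "Payroll File", "Inventory File", "Transaction File")
PROGRAMS = {"Payroll Program", "Inventory Program"}

# Rows follow the 7.3 a answer, one level per resource in RESOURCES order.
MATRIX = {
    "Sales":                (0, 0, 0, 1, 0),
    "Inventory Control":    (0, 0, 0, 3, 0),
    "Payroll Clerk":        (0, 0, 2, 0, 0),
    "HR Manager":           (0, 0, 3, 0, 0),
    "Payroll Programmer":   (3, 0, 1, 0, 1),
    "Inventory Programmer": (0, 3, 0, 1, 1),
    "CIO":                  (3, 3, 3, 3, 3),
}

# Assumption: which data files each program processes (Transaction File is shared).
PROGRAM_DATA = {
    "Payroll Program":   {"Payroll File", "Transaction File"},
    "Inventory Program": {"Inventory File", "Transaction File"},
}
IT_GROUPS = {"Payroll Programmer", "Inventory Programmer", "CIO"}


def level(group, resource, matrix=MATRIX):
    """Access level (0-3) of group on resource; unknown names map to 0."""
    try:
        return matrix[group][RESOURCES.index(resource)]
    except (KeyError, ValueError):
        return 0


def authorize(group, resource, action, matrix=MATRIX):
    """Preventive control: grant only what the matrix says, fail closed otherwise."""
    return action in LEVEL_RIGHTS[level(group, resource, matrix)]


def review_matrix(matrix=MATRIX):
    """Detective review. Returns (group, resource, rule) findings for:
    R1 - a business user holds create/delete (level 3) on a data file;
    R2 - an IT group holds update or higher on a data file;
    R3 - one principal holds update or higher on a program AND on a file it
         processes, i.e. programming and data custody are not segregated."""
    findings = []
    for group, row in matrix.items():
        lv = dict(zip(RESOURCES, row))
        for res in RESOURCES:
            if res in PROGRAMS:
                continue
            if group not in IT_GROUPS and lv[res] == 3:
                findings.append((group, res, "R1"))
            if group in IT_GROUPS and lv[res] >= 2:
                findings.append((group, res, "R2"))
        for prog in sorted(PROGRAM_DATA):
            if lv[prog] >= 2:
                for data in sorted(PROGRAM_DATA[prog]):
                    if lv[data] >= 2:
                        findings.append((group, prog + " / " + data, "R3"))
    return findings


def apply_7_3b(matrix=MATRIX):
    """The 7.3 b remediation: inventory control drops to read+update on the
    inventory file; HR manager drops to read on the payroll file and gains
    read on the transaction file. The CIO row is left as on the slide."""
    fixed = dict(matrix)
    fixed["Inventory Control"] = (0, 0, 0, 2, 0)
    fixed["HR Manager"] = (0, 0, 1, 0, 1)
    return fixed


if __name__ == "__main__":
    for finding in review_matrix():
        print(finding)
    print("still flagged after 7.3 b:",
          sorted({g for g, _, _ in review_matrix(apply_7_3b())}))
```

Running the review on the original matrix flags Inventory Control and HR Manager under R1 (the two 7.3 b findings) and the CIO under R2 and R3; after apply_7_3b only the CIO row remains, which is exactly the small-company segregation question the slide leaves open. The programmer rows pass because they hold level 3 on code but only read on the data files.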

Page 19: Things to Keep in Mind Regarding IT

• General computer controls should be:

– based on financial reporting requirements
– signed off by key business process owners
– not left to the sole responsibility of the IT function.

• IT application controls should also be defined by business-user requirements, and not by the IT function.

Page 20: IT Controls and SOX

• IT controls are embedded in controls critical to reliable financial reporting. For example:

– Establishment of data classification (e.g., chart of accounts, account groupings, or aging)

– User management (e.g., authentication, authorization, or initiation)

– Monitoring of transaction thresholds and tolerance levels (e.g., smart fields, exception reports, etc.)

– Data processing integrity and validation
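The application controls named on page 9 (edit reports, smart fields, batch totals) and the threshold/tolerance monitoring and processing-integrity items just listed, shown together as one added example in Python (not code from the slides): batch control totals recomputed from the detail, programmed edit checks on each record, and an exception report that decides whether the batch is accepted. The batch format, the chart-of-accounts subset in VALID_ACCOUNTS and the REVIEW_LIMIT tolerance are assumptions, and the sample batch is constructed to contain the errors each control is meant to catch.

```python
"""Two application controls over a constructed transaction batch: batch control
totals (record count, hash total, amount total) and programmed edit checks,
feeding an exception report. Added example, not from the slides; the batch
format, the chart-of-accounts subset and the review limit are assumptions."""
from datetime import date
from decimal import Decimal, InvalidOperation

VALID_ACCOUNTS = {"1200", "4000", "5100"}   # constructed chart-of-accounts subset
REVIEW_LIMIT = Decimal("1000.00")           # constructed tolerance level

# Constructed input: a header of control totals keyed when the batch was prepared,
# then account,amount,date detail lines. The header amount total (1520.00) is a
# digit transposition of the true 1250.00; detail line 3 has a negative amount
# and line 4 an unknown account and an impossible month.
SAMPLE_BATCH = """record_count=4,hash_total=20299,amount_total=1520.00
1200,250.00,2024-03-01
4000,1000.00,2024-03-01
5100,-10.00,2024-03-01
9999,10.00,2024-13-01
"""


def parse_batch(text):
    """Split the batch into a header dict and a list of (account, amount, date)."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = dict(item.split("=", 1) for item in lines[0].split(","))
    records = [tuple(ln.split(",")) for ln in lines[1:]]
    return header, records


def edit_check(record):
    """Programmed edit checks on one detail line; returns exception codes."""
    account, amount, when = record
    problems = []
    if account not in VALID_ACCOUNTS:
        problems.append("invalid_account")          # validity check
    try:
        value = Decimal(amount)
        if value <= 0:
            problems.append("non_positive_amount")  # sign check
        elif value > REVIEW_LIMIT:
            problems.append("over_review_limit")    # limit / tolerance check
    except InvalidOperation:
        problems.append("non_numeric_amount")       # field (numeric) check
    try:
        date.fromisoformat(when)
    except ValueError:
        problems.append("invalid_date")             # format check
    return problems


def check_batch_totals(header, records):
    """Recompute the control totals from the detail and compare with the header."""
    problems = []
    if int(header["record_count"]) != len(records):
        problems.append("record_count_mismatch")
    # Hash total: a meaningless sum (account numbers) that still detects a
    # dropped, duplicated or mis-keyed record.
    hash_total = sum(int(r[0]) for r in records if r[0].isdigit())
    if int(header["hash_total"]) != hash_total:
        problems.append("hash_total_mismatch")
    amount_total = Decimal("0")
    for r in records:
        try:
            amount_total += Decimal(r[1])
        except InvalidOperation:
            pass                                    # reported by edit_check
    if Decimal(header["amount_total"]) != amount_total:
        problems.append("amount_total_mismatch")
    return problems


def exception_report(text):
    """Run both controls; the batch is accepted only when no exception was raised."""
    header, records = parse_batch(text)
    record_problems = {}
    for lineno, record in enumerate(records, start=1):
        found = edit_check(record)
        if found:
            record_problems[lineno] = found
    batch_problems = check_batch_totals(header, records)
    return {
        "batch": batch_problems,
        "records": record_problems,
        "accepted": not batch_problems and not record_problems,
    }


if __name__ == "__main__":
    print(exception_report(SAMPLE_BATCH))
```

The two controls catch different error classes: the batch totals catch a keying error that every individual record passes (the transposed amount total), while the edit checks catch record-level errors that leave the totals consistent (the negative amount, the unknown account, the bad date). Rejecting the whole batch rather than silently dropping bad lines keeps the record count and totals meaningful for the next run.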

Page 21: SOX and IT

• Management must identify where technology is critical in the support of the financial statement process, including the key systems and subsystems that need to be included in the scope of the SOX compliance project.

• Systems may be within scope if they are involved in the initiation, recording, processing, and/or reporting of financial information.

• Only IT systems that are associated with a significant account or related business process need to be considered for compliance purposes. The higher the risk, the greater the need for relevant IT control assurance.

Page 22: Factors to Consider for SOX Inclusion

• Factors that should be considered when determining whether systems need to be reviewed and tested as part of a Sarbanes-Oxley compliance project include:

– Volume of transactions
– Dollar value of transactions
– Complexity of transactions
– Sensitivity of financial data and reports